Description

Implementation of Quebec data protection regime

On 22 September 2023, the Quebec data protection regime (projet de loi 64) is implemented. The Act introduces a new notification regime in case of data breaches. By this day, companies will have to have implemented the following obligations. Companies must set up data governance processes, enable the transfer of personal information, instruct employees about the new privacy regime and establish internal policies for the management of data. The act also specifies the cases in which a privacy assessment is required and the sanctions in case of non-compliance.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
subnational
Government Branch
legislature
Government Body
parliament

Complete timeline of this policy change

Hide details
2020-06-12
under deliberation

On 12 June 2020, the Legislative proposal (projet de loi 64) aiming to reform and modernise the dat…

2021-09-21
adopted

On 21 September 2021, the legislative proposal for a data protection regime (projet de loi 64) is a…

2023-09-22
in force

On 22 September 2023, the Quebec data protection regime (projet de loi 64) is implemented. The Act …

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
corporate data (all forms): data collection
Regulatory tool
User right to withdraw consent
User right to access personal data
User consent: Other requirement
User right to deletion of personal data
User right against automated decision making
Sanctions
Fine
Regulated subjects
1
corporate data (all forms): data processing
Regulatory tool
Risk or other impact assessment requirement
User right to information about third-parties, with which data has been shared
Sanctions
Fine
Regulated subjects
1
corporate data (all forms): storage (any form)
personal data (all forms): data collection
personal data (all forms): data processing
personal data (all forms): storage (any form)

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

corporate data (all forms): data collection

corporate data (all forms): data processing

corporate data (all forms): storage (any form)

personal data (all forms): data collection

personal data (all forms): data processing

personal data (all forms): storage (any form)

We use cookies and other technologies to perform analytics on our website. By opting in, you consent to the use by us and our third-party partners of cookies and data gathered from your use of our platform. See our Privacy Policy to learn more about the use of data and your rights.